Did you know that 95% of all successful cyberattacks begin with a phishing scam? That’s just one type of social engineering, a hacking method that puts us, our families, and our businesses at risk on a daily basis.
The unfortunate truth is that our personal information has a hard dollar value, and bad actors are relentless when it comes to finding new ways to trick us into divulging this information to them. The good news, however, is that we are in a good position to avoid falling victim to these scams if we know what to look out for.
We’ll walk you through what social engineering is, and our top 10 tips for staying
What is social engineering?
“Social engineering” is when malicious parties exploit human trust or error to gain access to valuable information, including passwords, credit card information, banking information, Social Security numbers, and more.
Sometimes the hacker will manipulate us into handing over this information via email, phone, fake website, or other means. Other times they’ll find ways to put malware onto your computer, which gives them direct access to your information and possibly even full control of your machine.
These scams can be carried out in many different ways, including:
- Phishing emails
- Vishing (voice phishing)
- USB “plants”
- Fake IT support calls (“quid pro quo”)
- Fake sales/deals (“baiting”)
Here’s a fascinating (and scary!) example of vishing that shows how easy it can be to execute one of these scams.
As troubling as these hacks are, the right education can do wonders to help us stay safe. Below are some security best practices you can follow to help minimize your risk.
Top 10 tips to avoid social engineering hacks
To avoid these dangerous scams, follow these tips.
- Learn how to identify phishing emails and DELETE them. Spam filters are not foolproof, and scam emails will get through to your inbox. Know the red flags that identify emails that are likely scams. We have an infographic on this you can download (and hang on your whiteboard or office fridge!) here.
- Be suspicious of ALL requests—email or phone—for sensitive information. Even if a request for information appears to come from a company or a person you trust, don’t take it at face value. If a request comes over the phone, hang up and call them back on a verified number. If a request comes over email, make a phone call.
- Get verbal and/or written authorization for all financial transactions. Hackers are very good at making requests for financial transactions seem legitimate—an email can appear to come from your CEO with an urgent request for funds, and well-meaning accountants and CFOs will fulfill the request without hesitation. Don’t make any transfers until you have explicit approval in a different medium than the original request.
- If you aren’t expecting an attachment or link, do NOT click on it. If you receive an invoice, delivery receipt, résumé, or any kind of email attachment that you were not expecting, don’t open it—it may well be infected with malware. If you think it might be legitimate, ask your IT team to determine whether the file is safe before clicking on it.
- Don’t plug any foreign USB/thumb drives into your machine. This is more common than you might think—bad actors will load USB drives with malware and leave them in an office, coffee shop, or anywhere that a curious person might pick it up and plug it in. If the drive isn’t yours, leave it alone.
- Use a password manager. Using strong passwords is good, but using a password manager is better. These programs help you create and organize your passwords, and many will flag any passwords that may have been compromised so that you can change them immediately.
- Use multi-factor authentication wherever possible. Multi-factor authentication adds another layer of security to your accounts in addition to your password. If you have this enabled, hackers who somehow obtain your passwords still won’t be able to access your accounts.
- Use a VPN, especially if you’re using free public WiFi. Unsecured WiFi connections are an easy way for hackers to intercept sensitive information. If you have to use an open connection, use a Virtual Private Network (VPN) to shield your activity from prying eyes.
- Back up everything. Most organizations have their servers backed up. Make sure your laptops and cloud file storage systems are backed up, too. In some cases of potent malware infection, restoring your data from backup is the only way to recover.
- If you think you’ve been compromised, shut off your machine and call your IT team. If you suspect you may have clicked an infected link or attachment, or browsed to a malicious site, shut off your device immediately so that the infection doesn’t spread. Then call your IT team so that they can handle it for you.
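Several of the tips above (spotting phishing red flags, distrusting urgent requests for money, not opening unexpected attachments, and checking where a link really goes) can be turned into a concrete checklist. The following is an added example, not code from the original post: a small Python script that parses a raw email and lists the red flags it finds. The organization's domain (`acme-corp.example`), the phrase list, and both sample messages are constructed for this example and are not taken from the article.

```python
"""List common social-engineering red flags found in a raw email message."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Domain(s) the organization actually sends mail from (assumption for this example).
TRUSTED_DOMAINS = {"acme-corp.example"}

# Phrases that pressure the reader into acting before verifying.
URGENCY_PHRASES = ("urgent", "immediately", "before end of day", "do not call",
                   "wire transfer", "act now", "verify your account")

# Attachment extensions that should never arrive unannounced.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".iso")

# Constructed sample message (not a real email); it bundles several red flags:
# lookalike sender domain, mismatched Reply-To, urgent wire request,
# a link whose visible text hides its real target, and an executable attachment.
SAMPLE_EMAIL = b"""\
From: "Acme Corp CEO" <ceo@acme-corp-payments.example>
Reply-To: urgent-wires@mail-relay.example
To: accounts@acme-corp.example
Subject: URGENT: wire transfer needed before end of day
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd1"

--bnd1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please process this wire transfer immediately and confirm at
<a href="http://login-verify.example/wire">https://acme-corp.example/wire</a>.
Do not call me, I am in meetings all day.</p></body></html>

--bnd1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=

--bnd1--
"""

# Constructed benign message for comparison: internal sender, no pressure, no links.
BENIGN_EMAIL = b"""\
From: "Jane Doe" <jane@acme-corp.example>
To: accounts@acme-corp.example
Subject: Lunch on Thursday?
Content-Type: text/plain; charset="utf-8"

Want to grab lunch on Thursday? The usual place works for me.
"""


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _registrable(host):
    """Crude 'registrable domain': last two labels (good enough for this example)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def _looks_like_trusted(domain):
    """Lookalike check: a trusted brand name embedded in a different domain."""
    return any(domain != t and t.split(".")[0] in domain for t in TRUSTED_DOMAINS)


def red_flags(raw):
    """Return a list of human-readable red flags found in the raw message bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags = []

    # 1. Who is it really from? Display names are free text; check the address domain.
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    if from_domain not in TRUSTED_DOMAINS:
        if _looks_like_trusted(from_domain):
            flags.append(f"sender domain looks like a trusted one: {from_domain}")
        else:
            flags.append(f"sender is external: {from_domain}")

    # 2. Replies silently routed to a different domain are a classic BEC sign.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr:
        reply_domain = reply_addr.rsplit("@", 1)[-1].lower()
        if reply_domain != from_domain:
            flags.append(f"Reply-To domain ({reply_domain}) differs from From domain")

    # 3. Pressure language in subject or body.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    lowered = text.lower() + " " + msg.get("Subject", "").lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        flags.append("pressure language: " + ", ".join(hits))

    # 4. Links: visible URL text that differs from the real href, or external targets.
    trusted_reg = {_registrable(d) for d in TRUSTED_DOMAINS}
    for href, label in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', text, re.I | re.S):
        label = label.strip()
        if label.lower().startswith(("http://", "https://")) and _host(label) != _host(href):
            flags.append(f"link text {_host(label)} hides real target {_host(href)}")
        elif _registrable(_host(href)) not in trusted_reg:
            flags.append(f"link points outside trusted domains: {_host(href)}")

    # 5. Unexpected executable attachments.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            flags.append(f"executable attachment: {name}")
    return flags


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        found = red_flags(raw)
        print(f"{label}: {len(found)} red flag(s)")
        for f in found:
            print("  -", f)
```

Each flag maps back to a tip in the list: the sender and Reply-To checks are the "don't take it at face value" rule, the pressure-language check is the "get authorization in a different medium" rule, and the link and attachment checks are the "don't click what you weren't expecting" rule. A filter like this only triages; the verification step (calling back on a known number) still has to be done by a person.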
If your organization doesn’t yet have a formal Security Awareness Training program in place, we urge you to consider implementing one soon. We include this service in our fixed-price IT support solution for our clients given how absolutely critical education is to a company’s overall security posture. Through education, reinforcement, phishing simulations, and more, these programs will train your staff how to avoid social engineering scams, and generally how to become your business’s strongest line of defense against a cyberattack.
Because when it comes to security, the old adage rings true: knowledge is, indeed, power.